REMARKS

da_™i ! ' ^' ' 

laO ,5(1 ( 1 \ > v 2 1 , i l > 

t v saterviing as being unp jle o 

\p >!icatiorf/< itrol Ni >er: 1 ( , 54 

\ us k i ( x ui si L -s , <■ n n or clem t ; 3" 

CFR .1 >2 1(c) or J 321 (d) o\ rcon i e rejection up i indicatioi o iiov ess )j< 
matter. 

The e\-:fix» «. v. , * in 2«t under 35 U.S.C. 101 because the claimed invention is 
> r , , ' 1 matter, 

h e\ . n , ■> j i s f i, i f ' - „■ s " . ,t J host" \>hieh 

results in an abstract idea. The claim limitations are merely steps of a computation or a formula, 
fhe limitations of "determining' cam * - h i method where he result is an 

abstract idea." Applicant has amended claim 24 to claim the method in a computing device. The
invention is concrete and tangible and thus the rejection has been overcome. 

^ \ i 2-t o idv 35 I Sa ieis 
s < • s . «... u'Mji i mt 'ii' b'iu,' , n cc , u u ^i, 
pplkvn garden ie ? Mil j 

The examiner contends that: "[T]he limitations "greater than M" and "less than R" are not
lefm 1 i is not ciea to \vl k <. a < c s > <: ling to trai 
Spcej.hcanc'us " 

S p v i j so ; sd. id! In s 4 m ■> I l > j. v \v \ \ 

describes: A Host k W becomes a "candidate" for a failed host analysis if both a mean profiled

<■ <. - --co , , , o * ^ > "K.i','1 V „ u «t< > 

! ^ 1 i v „i e [x ^ i u v _ no ir p tlko 

v ^ 1 n I th !P 3. + i \ 1 
< k f « n> » m„ * , o i n s c _ j w i „ , , w! w! , 0 11

x ulut peno-is. I his una lysis c < s x>sit > for quiet ho > sis vuth long periods o 

1 i h v (. ! i ' l v 

The exact values of M and R however are design criteria and are governed based on 
s e ahwwu.oH is > ; r ^ m hu - .mi c \ i i > >a e < , 

improper and should be removed. 

The examiner rejected claims 1-5 and 8-22 under 35 i ; ' ' - t <> -at ,

b\ \l\Umci . v n !> t , \o 2 t : ™ 

t hii : n s s v. N i b,< iM^'rini < "u ( -> oescisv 

,S v I CO Loiot du\ 1CCS ^ \ {< !l 

identify host connection pairs from packets that are sent between nodes on a network and an
aggregator device ... which produces a connection table that maps each node on the network to a 
record that stores information about traffic to or from the node. The examiner stated: 

As per claim 1, Malan discloses a system, comprising:

a plurality of collector devices that are disposed to collect statistical
information on packets that are sent between nodes on a network (page 5,
paragraphs [0066]) and (Fig. 4, elements 20, 20b).

;n ai^rtyan,; (p;;:>e 5, a<a apis p;D?n. fees 7-Hi.isu! .pasje 3. p.sragr.rpirs 
V PIS uf i i<M t ) net u m v, ui, (i ; t I , 

devices, and which produces a connection table that maps each node on the network
to a record that stores information about traffic to or from the node (page 5,
paragraphs [0066] and [0067]).

\ i fails ;o disclose i aggregator device which produces a connection table, a? 
r,nd Main i i sc Uwson^n l< b c •> k out < J or 

IK V W M v. o i < » 1 o , < ^ l - t ) c 

5 n n t <a o , v 1 j ! „ao 

Lcouu ^ \ < \ - 1 " } to n -s v o - iu ( o is s:,'! ■■ ,ea 

s m ! oat es puvxv i.c L.^ u v Mi ar e,k e c ,Kg ate aeen d no * 

i.'C in, e j s M . ii c e. H' r " i . 1 isr u\bmn 

^ 1 t i S ) ' V x \ Iv 

aggregator. 
v ' \.« v» ~ ao-i Unu^l v reproduced below



(«06*?| rhs inpai buffe} 20a, ioeatet m coikttof 20 is adapted te nortt dire o 
« «« i m.u >» s ! ,i i ><„i i d >gene i number of 

records including the normalized data packet flow statistical information. The

•< t < ! fif s i ! t i i lit by 

comparing the records to an anomaly pattern and/or a predetermined threshold. If
components of the normalized data packet flow statistics exceed the

predetermined threshold, a data packet flow anomaly is detected. Thereafter, the
detected data packet flow anomaly and data associated with the data packet flow
anomaly, such as the source and destination addresses of the flow information can
be stored in the detector database 20c.

[0068] The storm profiler module 20d is adapted to receive the normalized data
packet flow statistical iolonnasiot; or record:; from (he sttpttt otdfer "da and so 
genet ale the praietet ;«in< d threshold which is < t nt t«nh tBtfj comHtatikated to the 
storm tietactor module 20 i list ifigu tiott, the prafett nissed threshold 

of 1 ) < ^ t t, ( > <• < I, r ■ 

prtdties of tite ftormabzed data packet flow statistic; > > caved b> iht 
s com tiro ki f . > d i , . s ie j j t ieket 

fl< s > j sttv , u i i haages tlx t es tg< 

bandwidth sitoctded to each of the computer systems Jfiduritsga particular period 
os" time or changes to the ntmdn ! e >. ' • > ■ $16 coo utiiieatiag 
information at the same instant of time.



DlUS, w )t t, \1 i as i 'si o v: lt\ (oi s t i ' la c <. x vt>v 

t si i o ) v. k t s i ding t se 

r t < V I o o sLsc o-. i <rf 

c ttff --o ^ i O 1 1 IIS i i ^ } <• ) t C 1 

sitoc* t sfuntiauor. d : vt)t s:\s ic lo or from the node.'" and hence faib to dosei >c > u >esi the 
claimed aggregator.

u s i - ! > In v * )% u •> c i < al 

information. According to Malan:



ilk 4 The psickef fietv statistical oft ^ tt ru lining ott each of the ro«ti»g 
s s 22 v ad 22c enabie ead t < ^ I i 

oo stose data packer e« ^ta - ,< . sts^. 

iitfttrtttatiou casj iocltsdetbeitiindico of packets whiefe have keen eotnonsntcated 
net wests cotnputer systeras id, the d»ntiio» af coram ik ec a each of the 

comptster mtetos 3d, the total tsnsnher of packets communicated over eacb LAN 
{which is typical! used for t paci i s i< jrioas data packe 

to>o< \\.,!,-5ii; ; f irsforrnatioo. 
\a >K ! ! 0 ^ v i > 1 . v . ' >! v '0 1

. oo K0 i ' , . tos : < , - v 

1 I i 1 ! ! ! <) v! i t 1 _ 

- f , i !> ! < <U < v. ^ , ,t. i Vr. , 4 , x ^ ' )K'k> 

table. iuita, v\. J >^ it rnUuoi ' 'i^nu, t > • . ilm>! u 

Slow anomaik >\ oparin 1 ; eco Is to an anomaly pattern an< • l predei rrnined 

reshold, * Ag ; e pare ecords {coma s i< a 

infoniiatloi ) to an a s esis i s < 

» a in Is ^ data pitches <] n u t >i t,noi exceed !i t k< 1 1 s >i 

eakf i> o, a , u a < i .1- ; 

Malan also discloses to thereafter, store "the detected data packet flow anomaly and data
a^sou* u \iU ! i il 

flow information , . 'Thus, Malan while mentioning that w ' aia packet 

low anoi r nation addus I ed 

t * < i > \ v Mi I < 1 tt 1 p 

c ! ) e to or from the 

i < %\ 1 ' , ! ' < s <! 0 

t )U ! * i ^ i n M ai U!k On , o o ! , 

Mahal hliik v. i u ft ( . i ' 1 , 

from the plurality of collector devices and produces a connection table .... as generally recited in 
i ^ u< < , ^ Va!an. 

\p\ ^ t v. -> <. % » i a . 

N \ r i s v t i ^uo Ma n it e,s h tee a s daauLd kvs 

claim 1 nwevet as < entl ai t. ! t ex dan 2 o\\ ec res hat : i L ern i es 

t , i t > -ices o f 

events, 
I ,i.'\ar v hv! t u V t dt^lc^? k 1 * .ia of

ic events ! n < v. p > b rmo be k 

ha; h'ulan octet 1 *s v.„wi s v i t s < is 

O! " u. * i . ol C K v 1 v \ ra ' < h > v l 

the statistical data collected by the collectors. Accordingly, claim 2 serves to further distinguish
over Malan.

Claim 3 

i l it i moth caggj t< i tp hcs t 

diU S\ iCi ! ! i * d v lair 4 

which previously recited "communicates occurrences of network events to an operator." Claim
3 has been amended to recite a different feature and in particular recite an analogous feature as
that disclosed by Malan, namely, collection of statistical information on packet flows. Claim 3
»u\\ v I i ^ ; Mala 3 neither describes nor suggests that that 

! n end the connect v ^ o , ,N 

claim 3. 

Oi:::^:S>; : 

Each of these claims serves to further distinguish over Malan. The examiner stated:



} < ts I fiif ti t (>', 

As per dams 9. Maiaa eiisdoses the «maectio.a tabte tad arts* a pisirasav of 
s that are Indexes t^tiaa i < K>< ?j i it 5 ; >- 

\s ^« <.! (sps II \i , < •> i v <u \ , t / 

1 > " , • ' ' ' 

U per < i f s t ' e hicsod mi i\ 

paragraph fOO-S-?-. thus SO-;-!}. 

examiner relies on: "indexed by source address (page 5, paragraph [0067], lines 10-14) ...

a rescj b\ deve: < e dress upaee ? < . ape y "," L;ks K - 4 . uuo e ^ a , tpape 



ipp Vjassircjihatio Antonio Poletto et a \;\- - > - - < ? S 1 

<-:'. 3 

Filed : November 3, 2003

Page : I! of 14 



■> f 5 5c' 0 ' I . 1 ~i i li \u' l> m tiuv o'vli - - kMJ . ^ > id U tH 

(page 5, pan rani *es - ^gc , i . i - l t 1 n MaJau are 

reproduced below: 

[0067] ... Thereafter, the detected data packet flow anomaly and data
associated with the data packet flow anomaly, such as the source and destination
addresses of the flow information can be stored in the detector database 20c.

Applicant . w o ku > o» .> ices Malar ui to d m. l > c ud'iigthe 

otioectu H ? i an M an also fells to is >- - ^ 1 ,a J\ 

c< ! eti tat tit ; ph a tyo records thai si n d ^ ot ce ddrt des > 

iddress aid/or ti le use; na < Indcei s s ^ c >ses that the 

oitu u J k 1 a s f i v , i v , i ? v , \ <j i t t'K 

te o! i tn, iknwvei Vppl aafs claim io dneoied t u < iaKo u 
memory. Moreover, Malan discloses that the source and destination addresses of the flow
information stored in the detector database 20c, as the data. Malan says nothing about how the
data in the detector database 20c is indexed and, clearly in [0067] Malan does not suggest that it
s >nn< m d l >\ v. < 1 1 at <. j tu e t s ik 

cu- it! 

> kuOf ds>,s i S t< k ! <. < iiO Hi 'I ,0 v . ° Os. " 3 . ft J . dl 0 N 

plurality of connection sub-tables to track data at different time scales. The examiner contends
"i \iJ . f 1 ^ f \ • e >S c O v. U t ! 1 i ! vk 

data at different time scales (page 5, paragraph [0074])." Paragraph [0074] is reproduced
below:

>974 VSm-e precisely, the eiator 24a is adapted a eceive atstl categoriz* 
i it a timber of ta iudiiig easegisnw 

atert areessages rise tabic ! 1 t £ i I « e stored its the 

di tiossag data im _ a wh« s couplet! to the t eiaior module 24a The 
! ! v >r s Kin! 24a is i ! t i ess ges 

v.! ^ 1 H ! <. 1 In v V < ! , CN ( i 

jMtts&gestStatarciracs c i the coai}>utcr »dwark system 10 to a pi -basko 
computer systems 16. Another example of a trend can be a plurality of alert messages
that include similar characteristics.
t < i i t lit n » t x

el v > \ v. k j \ t n [ i " t •} i r 

• IS < I ! !K!lb,!,'i'\ C 

However, this toe n s t relevant w iho claimed connection table, which maps nodes oi 
j ne \ ork io record obj s ?rc ! fo \ on b u 

iwbomw t us > aile mat nad , ^ > 

MakaK sc:< cs lha \ aene ik < number o abics ? hid >-< tee ctua 

'O'.l V V v 1 \ i Si v )!u it v s v v 1 1 M 

20c w. tucb also* ^' uU vcL ow anornal} ar.c < s uh he data 

SI vi, , 1 v . O 1 i s v ! t iU 

Therefore, Malan does not suggest much less describe "the connection table and specifically
«. i s s s at a vk <. i K t Ls i v' f < s t 5 i v 

( lairn 1 > ha \ \ 

>hc< s nil v . i v -. H i ! f f j v . j lit 

iperates >n a Lay \ asm of tunc tban nmc a ico snb-fabk v, ith eaol s. 1 , ale so dun- the sum 
v c om all col s pecti ic. M da ) as dis i s 

i It J } t i 1 i \OT.\ ,> tl \ i l U \ 

v * ' onneetion table an. at least one o 

<> v ^s t , 1 \ i tj t i 

connection table. 

Applicant's claim 14 is a method that includes analogous features as claim 1 and is
s d ib. ■ -ea-'.-<;>. : m o\ w. * ;.;aa 1 haabariy claims 1 5-22 op i direct \ >w „ team 
claim -It ovmbk with c 4 and for aualogou as v< r certain of the 

i } 0 4 , ! \ oa , 

< I 2 i > < „ n Hal -ws 

In y< - \c 2 ' s .o u-: \! i-d 

VI ' i (T) S 1 » f i < ' I vf 

a network comprises; 
1 to !i (hi t

[0066] and [0067]).

Malan fails to explicitly disclose the roiatioii of received packets over a period
of time.

Belissent teaches:

and indicating to a console that the host is a new host if, during a period of time
T, the host transmits at least N packets and receives at least N packets, and if the
host had never transmitted and received more than K packets in any previous
period of time with a duration of T (col. 4, lines 9-20 and col. 5, lines 62-67 through
col. 6, lines 1-27). Belissent discloses a system for monitoring connection request
rate over a period of time and a rejection threshold.

\pp3iC X i m lie i t t ( " s ) s u v! * ii 

v n . *- , u accordingly. 

ncs eollcctca iron'! < s c c > 
However, applicant does not see Malan as teaching any technique for detection of new hosts. As
for Bthsset s . i,n '"ii ,* i m\s 

connections to thwart a denial of service attack, not the detection of new host connecting to a 
letwork \ (co 5, lines 62-6? throug 6 ines - ?) Beli ^ e es details of the 

i t t i U } C I N \ \ I V \ I 1 s 

indicating to a console that the host is a new host if, during a period of time T, the host transmit

\ > v\v Kin us* K packets, and if the host had never transmitted and 

««hu ' v 1 etsin any | eviou period its « f u> o ,reevvrmcr 

f K t ( f t S ! I t ! 

< ' < < s , < i if Do < P 1 Ci CO ( o >,K \0 t .usvou Uet 

specifically ct vnection ©quests s 1 n cessarj sra t st > in t t 1 
vtn ^ i < , ^ < i 1 s , , t , . sU jezeas, a, ii 

Belissent, in order to send packets to a server, gateway and the like connection requests are used.

1'heexan ne reject U t § 6 and 7 under 35 X o> !! six ? ovc 

Vlah > v si is t JHo >0O2Q J28?!)hn cv ofHilietal (I S Patent so 6 8c 804) 

< hum 0 is all wahle ove aid Hi 1 least \U tnc > 1 > d i base claim 

L 
As for claim 7, the examiner acknowledges that Malan et al. fails to explicitly disclose

i £ v < < . s. > uii M 1 J > U> ! ■> v. V iv. i w 

anomalies include and scanning attacks (col. 4, lines 35-41) and "the anomalies include

5 he « < i u_.il on av. 5. lines 57~« 

Applicant contends that claim 7 is allowable for the reasons discussed in claim 1. In

td ! 1 i ions worms aid he n thorized a no i Id 1 does ! 

ss.eciue l'.,k i dcoct A ^ ;>pcs .Luv, si Hi s system. Moi.y\„: I ' fails to cure 

lii(dvvi es a \, >.) \,\-> . 5 vhether taken alone ot d n \<la< ami,) 
fail la - s <ocst cut; 

Hi prior art ited but not applied is seen as neither desu - ^ > • .!,-plseam\ 

r^ci! i I • ,i i ib> i 1 v.L m 

Please charge the Petition for Extension of Time fee to Deposit Account no. 06-1050.
Please apply any other charges or credits to Deposit Account no. 06-1050.